Dear Simplii Financial client:
We have implemented enhanced online security measures in response to a claim received on Sunday, May 27 that fraudsters may have electronically accessed certain personal and account information for some of our clients.
In addition to the steps that Simplii has taken, we recommend that clients:
Always use a complex password and PIN (e.g. not 12345)
Monitor their accounts for signs of unusual activity
Clients who notice suspicious activity are encouraged to contact Simplii Financial. If a client is a victim of fraud because of this issue, we will return 100% of the money lost from the affected bank account.
We take this matter seriously and will be reaching out individually to clients who may be impacted. Updated information will be posted here as it becomes available.
Michael Martin, SVP Simplii Financial
Bank of Montreal and online bank Simplii Financial have both suffered apparent data breaches and are warning that “fraudsters” claim to have accessed personal and account information belonging to tens of thousands of customers.
Both banks were contacted Sunday by the alleged perpetrators, and the attacks appear to be related, according to a BMO spokesperson.
BMO, which is Canada’s fourth-largest bank, said the alleged hackers claim to have obtained sensitive information belonging to a “limited number” of clients, and threatened to make that data public. The bank believes that fewer than 50,000 customers are affected, and that the attack originated outside Canada. A “thorough investigation” is under way, according to spokesperson Paul Gammal, and BMO has notified “all relevant authorities” as it assesses the potential damage.
“We are confident that exposures identified related to customer data have been closed off,” Mr. Gammal said in an e-mail. “We are notifying customers who may have been impacted.”
Simplii also received a claim of an alleged breach involving information for as many as 40,000 customers on Sunday, and “began investigating to understand the claim and verify its accuracy.” The bank plans to reach out to customers who may be affected, and said it has implemented “enhanced online fraud monitoring and online banking security measures.”
“We’re assessing any potential impact,” spokesperson Olga Petrycki said in an e-mail.
Simplii is a low-cost online bank owned by Canadian Imperial Bank of Commerce, and was launched last year after CIBC – which is Canada’s fifth-largest bank – split from a two-decade partnership with Loblaw Cos. Ltd. Simplii has about two million clients, many of whom were moved over from President’s Choice Financial when CIBC ended its relationship with Loblaws, and competes with digital rivals such as Tangerine Bank, EQ Bank and Alterna Bank.
Neither Simplii nor BMO would say whether the alleged fraudsters demanded ransom in return for client information, but Ms. Petrycki added: “It is our practice not to pay ransom demands as it encourages further fraudulent activity.”
There is no indication that CIBC clients are affected by the breach. And representatives from Canada’s four other largest banks – Royal Bank of Canada, Toronto-Dominion Bank, Bank of Nova Scotia and National Bank of Canada – confirmed there is no sign their customer data has been accessed.
“We’re taking this claim seriously and have taken action to further enhance our monitoring and security procedures,” said Michael Martin, a senior vice-president at Simplii, in a statement. “We feel that it is important to inform clients so that they can also take additional steps to safeguard their information.”
Simplii is promising to fully reimburse clients who suffer from the apparent fraud. And both BMO and Simplii are advising clients to notify their financial institutions about any suspicious account activity.
In recent days, some Simplii customers contacted by The Globe and Mail found they had been locked out of their accounts, login information was changed, and fraudulent e-mail transfers were sent.
Jennifer Gaudet, a Simplii client in Ottawa, found she couldn’t log in on Friday and Saturday, and didn’t recognize the security questions on her account. She reset them, but the next day she again had trouble logging in and found the security questions had changed again. Her account had been frozen, but not before multiple e-mail transfers had been sent to a contact whose e-mail address had also been altered. One transfer was for $2,889 and Ms. Gaudet received no notification.
When she contacted Simplii, the bank set her up with a new account, but she has not yet been reimbursed the $2,889 or the $3.50 fee for cancelling the transaction. She was told it could take seven to 10 days.
“I am very worried about how much information this hacker could have. Does he have my home address, my date of birth?” Ms. Gaudet said in an e-mail. “I feel violated by the whole situation.”
Robin Clark, a Toronto-based journalist who has banked with Simplii and the former President’s Choice Financial for more than three years, first learned something was wrong last Tuesday when he tried to log in to pay his hydro bill. His password wouldn’t work, and after several tries his account was locked.
When he called Simplii, a representative told Mr. Clark his account had been flagged due to a suspicious e-mail transfer totalling nearly $3,900, sent to a recipient he didn’t know. Because the transfer was deemed suspicious, the money never left his account. But he had to create a new account to replace the one that had been compromised, just as his month-end bills were about to come due.
“Because they don’t have branches, the process for doing that is they send you a secure email with a bar code, and then you have to take that and a driver’s license to Canada Post, and they scan it directly to Simplii Financial,” he said.
That secure e-mail took 36 hours to arrive, and it took several days to restore full access to his account. Though he’s pleased with the way Simplii handled the fraud, he still hasn’t received a notification about a wider data breach from the bank.
“It’s not clear and I don’t really think they have gotten the message out as they should have,” he said in an interview.
BMO and Simplii Financial, which is CIBC’s direct banking brand, are warning that “fraudsters” may have accessed some customer accounts.
BMO said it received a claim on Sunday, May 27 that the personal and financial information of “a limited number of customers” had been illegally accessed. The bank said it believes the attack originated from outside the country.
The bank said it is “confident” that “exposures identified related to customer data have been closed off.”
The warning from BMO follows similar news from Simplii, which said fraudsters may have electronically accessed data from 40,000 client accounts.
Simplii said it has implemented additional online security measures as it continues to investigate. The changes include enhanced online fraud monitoring and online banking security measures.
Both banks said they are reaching out to clients and advised customers who notice any unusual activity to get in touch.
A message appearing on the Simplii app on Monday says that “fraudsters may send messages asking for personal information.” The bank said to send any suspicious correspondence to fraud@simplii.com.
Simplii said that clients who are victims of fraud because of the issue will receive 100 per cent of the money lost from the affected bank account. It added that there is no indication that clients who bank through CIBC have been affected.
With files from the Canadian Press
Immediately upon learning of the potential issue, Simplii began investigating to understand the claim and verify its accuracy. We also moved quickly to implement enhanced online fraud monitoring and online banking security measures. In addition, Simplii will be reaching out to clients proactively through all channels.
"We're taking this claim seriously and have taken action to further enhance our monitoring and security procedures," said Michael Martin, Senior Vice-President, Simplii Financial. "We feel that it is important to inform clients so that they can also take additional steps to safeguard their information."
In addition to the steps that Simplii has taken, we recommend that clients:
Always use a complex password and PIN (e.g. not 12345)
Monitor their accounts for signs of unusual activity
Clients who notice suspicious activity are encouraged to contact Simplii Financial. If a client is a victim of fraud because of this issue, we will return 100% of the money lost from the affected bank account.
Simplii Financial is CIBC's direct banking brand. There is currently no indication that clients who bank through CIBC have been affected.
About Simplii Financial ™
Simplii Financial is committed to delivering simple, straightforward banking. With a fully mobile experience clients enjoy no-fee daily banking with no minimum balance and high interest savings rates. Offering 24/7 access to online, mobile and telephone banking as well as access to a national network of over 3,400 CIBC ABMs, Simplii Financial delivers a simple and easy way to bank. Life's busy. Bank Simplii™. For more information about Simplii Financial please visit www.simplii.com or by following on Twitter @SimpliiFin or on Facebook.
SOURCE Simplii Financial
For further information: Olga Petrycki, Public Relations | 416-306-9760 | olga.petrycki@simplii.com